Windows 2019 RDP cannot change expired password (NLA enabled)

T3hboy 1 Reputation point
2022-09-20T08:23:40.767+00:00

Hi
I have Win2019 functional level; all my domain servers are Win2019.
All users that have a problem changing an expired password are connecting from Server 2008 or Windows 7 computers.
The problem is that no one is able to change it even when Network Level Authentication is enabled.
We are using a simple RDP session. No broker.
Is it possible to change this setting via GPO, to be able to change expired passwords on domain accounts?

  1. Limitless Technology 44,221 Reputation points
    2022-09-21T10:30:27.797+00:00

    Hello there,

    NLA prevents users from connecting to RDP/RDS hosts if their passwords have expired or if they have the “User must change password at first Logon” option enabled in their userAccountControl user attribute. You can disable NLA and see if you can change the password.

    Change the permissions of the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc to allow anonymous to read the key. If the key doesn't exist, you may create it and then add the read permissions for the anonymous account.

    You can also add a link to the password change form directly to the Remote Desktop WebAccess sign-in form. This will allow users to change their password at any time without waiting till it expires.

    Here is a link that has some additional troubleshooting steps which you can try to see if it helps in overcoming your issue:
    Password change for expired password failing for workgroup scenario https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/error-password-change-expired-password

    https://support.microsoft.com/en-us/topic/you-cannot-change-an-expired-user-account-password-in-a-remote-desktop-session-that-connects-to-a-windows-server-2008-r2-based-rd-session-host-server-in-a-vdi-environment-eefef3f3-246b-6b01-195d-3e240b051f82

    --If the reply is helpful, please Upvote and Accept it as an answer–
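
Before changing the NLA setting discussed above, it helps to know whether NLA on the host comes from Group Policy or from the local RDP-Tcp listener, and which accounts are actually affected. The following is an added example, not part of the question or the answer; it assumes an elevated PowerShell session on the RDP host with the ActiveDirectory (RSAT) module installed, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the RDP host.
# The GPO setting "Require user authentication for remote connections by using
# Network Level Authentication" writes UserAuthentication under the policy key;
# when that value is present it takes precedence over the local listener value.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-NlaSetting {
    # Report which source decides the NLA requirement and its current value.
    $sources = @(
        @{ Name = 'GroupPolicy'; Path = $policyKey },
        @{ Name = 'Local';       Path = $localKey }
    )
    foreach ($src in $sources) {
        $item = Get-ItemProperty -Path $src.Path -Name UserAuthentication -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Source      = $src.Name
                NlaRequired = ($item.UserAuthentication -eq 1)
            }
        }
    }
    [pscustomobject]@{ Source = 'NotConfigured'; NlaRequired = $null }
}

function Get-UserBlockedByNla {
    # Enabled accounts that NLA will refuse: password already expired, or
    # pwdLastSet = 0 ("User must change password at next logon").
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Filter 'Enabled -eq $true' `
               -Properties PasswordExpired, pwdLastSet, PasswordLastSet, PasswordNeverExpires |
        Where-Object {
            $_.PasswordExpired -or ($_.pwdLastSet -eq 0 -and -not $_.PasswordNeverExpires)
        } |
        Select-Object SamAccountName, PasswordLastSet, PasswordExpired,
            @{ Name = 'MustChangeAtNextLogon'; Expression = { $_.pwdLastSet -eq 0 } }
}

Get-NlaSetting
Get-UserBlockedByNla | Sort-Object SamAccountName | Format-Table -AutoSize
```

If `Source` is `GroupPolicy`, the value has to be changed in the GPO that sets it; editing the local listener value has no effect while the policy applies.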

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.